Bug 31091

Summary: libtiff new security issues CVE-2022-3599, CVE-2022-362[67]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libtiff-4.2.0-1.9.mga8.src.rpm CVE: CVE-2022-3599, CVE-2022-3626, CVE-2022-3627
Status comment:
Bug Depends on: 30999    
Bug Blocks:    

Description David Walser 2022-11-08 14:00:13 CET 
Ubuntu has issued an advisory today (November 8):
https://ubuntu.com/security/notices/USN-5714-1

Mageia 8 is also affected.

We can wait for Bug 30999 to be pushed (already validated) or collapse this into it.
David Walser 2022-11-08 14:00:34 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream and Ubuntu
Depends on: (none) => 30999

Comment 1 Nicolas Salguero 2022-11-09 09:58:50 CET 
CVE-2022-2953 was already fixed in bug 30999.

Summary: libtiff new security issues CVE-2022-2953, CVE-2022-3599, CVE-2022-362[67] => libtiff new security issues CVE-2022-3599, CVE-2022-362[67]

Comment 2 Nicolas Salguero 2022-11-09 10:10:45 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-3599)

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-3626)

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. (CVE-2022-3627)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3599
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3627
https://ubuntu.com/security/notices/USN-5714-1
========================

Updated packages in core/updates_testing:
========================
lib(64)tiff5-4.2.0-1.10.mga8
lib(64)tiff-devel-4.2.0-1.10.mga8
lib(64)tiff-static-devel-4.2.0-1.10.mga8
libtiff-progs-4.2.0-1.10.mga8

from SRPM:
libtiff-4.2.0-1.10.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2022-3599, CVE-2022-3626, CVE-2022-3627
Version: Cauldron => 8
Status comment: Patches available from upstream and Ubuntu => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

Comment 3 Herman Viaene 2022-11-12 12:01:50 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Followed wiki:
remark as in previous versions that bmp2tiff command does not exist anymore
Then:
$ tiff2pdf 1973-024.tif > 1973.pdf
pdf file looks OK in atril
$ tiffinfo 1973-024.tif 
TIFF Directory at offset 0x2e9da08 (48880136)
  Subfile Type: (0 = 0x0)
  Image Width: 2904 Image Length: 4208
  Resolution: 3200, 3200 pixels/inch
  Bits/Sample: 8
  Compression Scheme: None
  Photometric Interpretation: RGB color
  Extra Samples: 1<assoc-alpha>
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 4
  Rows/Strip: 64
  Planar Configuration: single image plane
  DocumentName: /home/herman/HV/fotos/kleurnegatieven/1973/1973-024.tif
  ImageDescription: Created with GIMP
$ gimp 1973-024.tif 
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
Warning: Unknown input_id: -1 for input: surfacemap_x
bps: 8
Image dimensions: 2904 x 4208.
load_contiguous
bytes_per_pixel: 4, format: 4
file looks OK.
As  in previous versions the raw2tiff command does not produce any valid output with raw files from Olympus and Canon cameras. On a Nikon one it hangs.
But these are not regressions, so OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-11-12 15:49:19 CET 
Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-13 00:25:00 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-11-13 03:27:09 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0424.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 6 David Walser 2022-11-29 13:43:39 CET 
CVE-2022-3597 was also fixed in this update.
Comment 7 David Walser 2022-11-29 13:43:55 CET 
*** Bug 31199 has been marked as a duplicate of this bug. ***
Comment 8 David Walser 2023-05-14 01:44:26 CEST 
CVE-2023-30774 was fixed by the patch for CVE-2022-3599, says Nicolas.
Comment 9 David Walser 2023-05-14 01:45:32 CEST 
*** Bug 31899 has been marked as a duplicate of this bug. ***